Cyber money heist: Why companies paying off hackers fuels ransomware crimes
SINGAPORE: Companies that pay the ransom when cybercriminals hack their systems could validate the act and contribute to the growth and persistence of ransomware attacks, warned analysts.
The comments come after China’s biggest lender, the Industrial and Commercial Bank of China (ICBC), reportedly paid a ransom to cybercriminals group Lockbit after hackers breached the bank’s US unit.
"They paid a ransom, deal closed," a Lockbit representative told Reuters on Nov 13.
Lockbit, a ransomware group first seen on Russian-language cybercrime forums in January 2020, has been detected all over the world. In just three years, it has become one of the world’s top ransomware threats, targeting big corporations such as Boeing, Taiwanese chip giant TSMC, and the UK Royal Mail.
CNA spoke to cybersecurity analysts to find out why companies give in to hackers' demands and how paying off these cybercriminals is fuelling ransomware crimes.
DANGEROUS PRECEDENTS
Companies should refrain from paying hackers as it sets dangerous precedents for future targets and validates their criminal acts, cybersecurity analysts told CNA.
Besides "funding organised crime at best, and terrorism at worst", companies that pay the ransom reinforce hackers' effectiveness as a criminal tool of cyber-extortion, said Dr Steve Kerrison, a cybersecurity senior lecturer at James Cook University Singapore
Paying the ransom might cause organisations to be perceived by cybercriminals as easy targets that are willing to comply with ransom demands, added Shahnawaz Backer, a senior solutions architect at tech security company F5.
"This might increase their likelihood of being targeted again."
He noted that the paying of ransom might lead to an "expansion of ransomware operations in the overall threat landscape" by increasing the financial incentive of such attacks.
"If attackers believe that organisations are willing to pay, they are more likely to target other entities."
This is apparent following a string of similar attacks by ransomware groups in recent months.
Lockbit, which claims some of this year’s biggest hacks, said that it has revised the way it tries to blackmail its victims because it is "unhappy with the revenue" it sees from ransom payouts, Bloomberg News reported on Nov 16, citing a ransomware cybercrime researcher from Analyst1.
The researcher noted that many of the affiliates of the Russian-linked group were young and inexperienced in negotiations, leading to "inconsistent and often low ransom amounts that decreased overall revenue and set an unfavourable tone for future negotiations".
Lockbit's leaders reportedly created new rules and tactics which took effect on Oct 1 for hackers to follow when dealing with victims, according to Bloomberg News.
ONCE BITTEN, TWICE BITTEN
Each ransom payment subsidises roughly nine future attacks, noted Ryan Flores from cybersecurity company Trend Micro, citing a study the company conducted with Waratah Analytics.
“This is the case despite only 10 per cent of ransomware victims studied paying their extorters,” said the senior manager of APAC threat research, adding that those same victims were found to be forced to pay more for each compromise.
"If a threat actor knows that companies are willing to pay the ransom, they may even escalate demands in future attacks."
Paying the ransom may also be "doubly damaging" as some ransomware groups have been known to proceed with their threats even after receiving the money from companies, noted Dr Kerrison.
There is also no assurance that paying the ransom will result in the return of stolen data or prevent its potential leakage, said Heng Mok from cybersecurity firm Zscaler.
"This establishes a cycle of financial support for criminal enterprises and perpetuates the threat landscape," added the chief information security officer for Asia Pacific and Japan.
For example, US delivery company Dolly.com allegedly paid a ransom to attackers but had its customers’ data published as the payment received was not enough, online publication Cybernews reported on Nov 15.
Meanwhile, Techwire Asia reported in April that 83 per cent of companies admitted to paying ransoms on more than one occasion.
The cost of recovery does not change even if a victim opts to pay the ransom, noted Mr Flores.
"There will still be a need for proper incident response, recovery, and implementation of security measures to prevent future breaches," he added.
"Paying a ransom drives the overall cost of the incident in that sense — the ransom cost and cost of recovery."
80 PER CENT OF VICTIMS PAY RANSOM
Analysts told CNA that it is common for companies to pay up in a bid to protect their data, with Forbes reporting about 80 per cent of 1,200 victims surveyed decided to do so.
More than 72 per cent of businesses were affected by ransomware attacks as of 2023, Mr Backer told CNA, noting that it was an increase from the previous five years and was by far the highest figure reported.
Predictions also indicate ransomware will cost victims roughly US$265 billion annually by 2031, he added.
"In the heat of the moment and with pressures mounting, the decision to pay a ransom is definitely not an easy one," said Mr Flores.
"Many choose to opt for this route for a few reasons, with the most common one being faster recovery time. With business operations and continuity at stake, paying the ransom and obtaining the decryption tool in return is sometimes the quicker option to resume activity."
According to media reports in 2019, ride-hailing platform Uber allegedly paid a US$100,000 ransom and had the hackers sign non-disclosure agreements in exchange for the payment.
This shows that organisations are worried, noted Mr Backer.
Regarding banks like ICBC paying ransoms, he said such information is not usually disclosed to the public due to the sensitive nature of the incidents.
"Many organisations, including banks, may not disclose this due to concerns about reputation, legal implications, and the encouragement of further attacks."
However, Dr Kerrison noted that the intention behind companies paying ransoms "might not always be to keep it a secret".
"Rather, it's the best option available to them in the circumstances," he said.
Mr Backer added that claims by attackers should be "treated with caution" as they might not always accurately reflect the reality of the situation.
Analysts also told CNA the rise of the ransomware-as-a-service (RaaS) model is one of the driving factors in the increase in ransom payment.
"RaaS made it possible for low-skilled cybercriminals to join the illicit industry ultimately contributing to the surge in the number of victims," said He Feixiang, an adversary intelligence research lead at Group-IB.
The RaaS business model allows individuals to develop and distribute ransomware, paying the affiliates for successful attacks using their ransomware, he noted.
In addition, analysts said collaborations among ransomware groups, encryption-less attacks and cryptocurrency services also allow more hackers to target companies and facilitate their movements, driving up the number of ransom cases.
WHAT SHOULD COMPANIES DO?
It is important to seek an expert’s opinions before deciding on a course of action, said analysts.
"Ransomware, just like any software, is not perfect, so there may be paths to recovery, such as finding a way to decrypt data or deactivate the ransomware," said Dr Kerrison.
A ransomware attack is a long process that "lasts for days, if not weeks", said Mr He.
There are "multiple occasions" where related suspicious activities can be detected and effective interventions can be performed to stop the final data encryption and prevent data leaks, he added.
"Before the actual data encryption, cybercriminals need to get into the victim servers first. This is called initial access … Such initial access offers as well as the sale of corporate credentials can be detected proactively by threat intelligence experts."
Mr Heng and Mr Backer also said that companies should have a zero-trust framework in place where no one should be trusted by default.
Companies should adopt "a comprehensive response strategy to mitigate damage" if they want to avoid paying the ransom, said Mr Backer.
"Initial steps involve isolating and disconnecting affected systems to prevent further spread, activating an incident response plan, and identifying the specific ransomware variant," he added.
"Organisations also need to stop the attack’s primary vectors, slow its spread, and work towards reducing its impact."
Another option is to rely on data back-ups to restore data and minimise potential damage, added Mr Flores.
"Despite the urgency of such an incident, it's critical to not act rashly," said Dr Kerrison, adding that companies should be mindful of regulatory obligations.
"Those thinking of paying a ransom should also consider whether doing so could be funding terrorism, which could land the company significantly more trouble than just the backlash from a ransomware-induced outage," he said.
